Commit 4c6afd2

Updated readme
1 parent 9002fff commit 4c6afd2

2 files changed: +76 -1 lines changed

.markdownlint.json

+3
@@ -0,0 +1,3 @@
1+
{
2+
"MD013": false
3+
}
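Review bot: setting `"MD013": false` switches off line-length linting for every Markdown file in the repository, while the only lines that need it are the long badge and link lines in README.md; a limit such as `"MD013": { "line_length": 200 }` keeps the check active and only relaxes the threshold. If the rule is disabled on purpose, a short note in the commit message or a comment in CONTRIBUTING would explain why.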

README.md

+73-1
@@ -1 +1,73 @@
1-
# vault-backend
1+
# Vault Backend
2+
3+
[![pre-commit](https://img.shields.io/badge/pre--commit-enabled-brightgreen?logo=pre-commit&logoColor=white)](https://github.com/pre-commit/pre-commit)
4+
5+
A Terraform [HTTP backend](https://www.terraform.io/docs/backends/types/http.html) that stores the state in a [Vault secret](https://www.vaultproject.io/docs/secrets/kv/kv-v2).
6+
7+
The server supports locking and leverages the versioning capabilities of Vault by creating a new secret version when creating/updating the state.
8+
9+
## Terraform config
10+
11+
The server authenticates to Vault using [AppRole](https://www.vaultproject.io/docs/auth/approle), with `role_id` and `secret_id` passed respectively as the `username` and `password` in the configuration.
12+
13+
```terraform
14+
terraform {
15+
backend "http" {
16+
address = "http://localhost:8080/state/<STATE_NAME>"
17+
lock_address = "http://localhost:8080/state/<STATE_NAME>"
18+
unlock_address = "http://localhost:8080/state/<STATE_NAME>"
19+
20+
username = "<VAULT_ROLE_ID>"
21+
password = "<VAULT_SECRET_ID>"
22+
}
23+
}
24+
```
25+
26+
where `<STATE_NAME>` is an arbitrary value used to distinguish the backends.
27+
28+
With the above configuration, Terraform connects to a vault-backend server running locally on port 8080 when loading/storing/locking the state, and the server manages the following secrets in Vault:
29+
30+
- `/secret/vbk/<STATE_NAME>`
31+
- `/secret/vbk/<STATE_NAME>-lock`
32+
33+
The latter created when a lock is acquired and deleted when released.
34+
35+
## Vault Backend config
36+
37+
The following environment variables can be set to change the configuration:
38+
39+
- `VAULT_URL` (default `http://localhost:8200`) the URL of the Vault server
40+
- `VAULT_PREFIX` (default `vbk`) the prefix used when storing the secrets
41+
- `LISTEN_ADDRESS` (default `0.0.0.0:8080`) the listening address and port
42+
- `DEBUG` to enable verbose logging
43+
44+
## Vault policy
45+
46+
The policy associated to the AppRole used by the server needs to grant access to the secrets.
47+
48+
I.e., for a `<STATE_NAME>` set as `cloud-services` and the default `VAULT_PREFIX`:
49+
50+
```vault
51+
path "secret/data/vbk/cloud-services"
52+
{
53+
capabilities = ["create", "read", "update"]
54+
}
55+
56+
path "secret/data/vbk/cloud-services-lock"
57+
{
58+
capabilities = ["create", "read", "update"]
59+
}
60+
61+
path "secret/metadata/vbk/cloud-services-lock"
62+
{
63+
capabilities = ["delete"]
64+
}
65+
```
66+
67+
## Author
68+
69+
> GitHub [@gherynos](https://github.com/gherynos)
70+
71+
## License
72+
73+
vault-backend is licensed under the [Apache License, Version 2.0](http://www.apache.org/licenses/LICENSE-2.0).
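Review bot: the `backend "http"` example places the AppRole `role_id` and `secret_id` directly in the Terraform configuration (`username = "<VAULT_ROLE_ID>"` / `password = "<VAULT_SECRET_ID>"`) and sends them as basic-auth credentials to a plain `http://` address, and the documented `LISTEN_ADDRESS` default of `0.0.0.0:8080` binds that plaintext endpoint on every interface. The README should state that any deployment beyond a loopback test needs TLS in front of the server, and should mention that Terraform reads `TF_HTTP_USERNAME` and `TF_HTTP_PASSWORD` from the environment so the `secret_id` does not have to be committed with the configuration. Two smaller documentation points: the sentence "The latter created when a lock is acquired and deleted when released." is missing "is", and the policy section should say that the `secret/` paths assume a KV v2 mount (the `data/` and `metadata/` prefixes only exist there), since a KV v1 mount would make the example policy fail silently.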